* See [[Talk:Features/DogtagCertificateSystem]]

[[Category:FeatureAcceptedF13]]

Dogtag Certificate System

Summary

Dogtag Certificate System is an enterprise-class open source Certificate Authority (CA) supporting all aspects of certificate lifecycle management including key archival, OCSP and smartcard management.

User Experience

Dogtag Certificate System is an enterprise software system designed to manage enterprise Public Key Infrastructure (PKI) deployments.

This full-featured PKI solution includes a complete Smartcard Management system as well as support for all aspects of certificate lifecycle management including:

Certificate Authority (CA)

A required PKI subsystem that issues, renews, revokes, and publishes certificates, and that compiles and publishes Certificate Revocation Lists (CRLs). The Dogtag Certificate Authority can be configured as a self-signing CA, where it is the root CA, or it can act as a subordinate CA, where it obtains its own signing certificate from a public CA.

Data Recovery Manager (DRM)

An optional PKI subsystem that can act as a Key Recovery Authority (KRA). When configured in conjunction with the Dogtag Certificate Authority, the Dogtag Data Recovery Manager stores private encryption keys as part of the certificate enrollment process. The key archival mechanism is triggered when a user enrolls in the PKI and creates the certificate request. Using the Certificate Request Message Format (CRMF), a request is generated that carries the user's private encryption key. This key is then stored in the Dogtag Data Recovery Manager, which is configured to store keys in an encrypted format that can only be decrypted when several agents request the key at the same time, thereby protecting the archived private encryption keys of the users in the PKI deployment.

Note that the Dogtag Data Recovery Manager archives encryption keys; it does not archive signing keys, since such archival would undermine nonrepudiation properties of signing keys.
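The m-of-n agent recovery described above, as an added illustration that is not Dogtag's code: a DRM storage key is split with Shamir secret sharing over the prime field GF(2^521 - 1) so that any 3 of 5 recovery agents together reconstruct it, while any smaller group obtains only a random field element. The field, share layout and function names are assumptions made for this illustration, not the scheme Dogtag implements.

```python
import secrets

# Shares live in the prime field GF(p); p = 2**521 - 1 is a Mersenne prime,
# so any key up to 512 bits fits as a single field element (assumption for illustration).
PRIME = 2**521 - 1

def _eval_poly(coeffs: list, x: int) -> int:
    """Evaluate the polynomial (Horner's rule) whose constant term is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split_key(key: bytes, threshold: int, agents: int) -> list:
    """Split a storage key into `agents` shares; any `threshold` of them recover it."""
    secret = int.from_bytes(key, "big")
    if not 1 <= threshold <= agents or secret >= PRIME:
        raise ValueError("bad threshold/agent count or key too large for the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, agents + 1)]

def recover_key(shares: list, key_len: int):
    """Lagrange-interpolate the shares at x = 0. Returns None when the shares are
    too few or inconsistent (the reconstruction is then a random field element)."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    if secret >= 1 << (8 * key_len):
        return None
    return secret.to_bytes(key_len, "big")

def agent_recovery(storage_key: bytes, threshold: int, agents: int, present: list) -> bool:
    """Simulate a recovery attempt with the agents in `present` (1-based ids) cooperating."""
    shares = split_key(storage_key, threshold, agents)
    chosen = [shares[i - 1] for i in present]
    return recover_key(chosen, len(storage_key)) == storage_key
```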

Online Certificate Status Protocol (OCSP) Manager

An optional PKI subsystem that can act as a stand-alone Online Certificate Status Protocol (OCSP) service. The Dogtag Online Certificate Status Protocol Manager performs the task of an online certificate validation authority by enabling OCSP-compliant clients to do real-time verification of certificates. Note that an online certificate-validation authority is often referred to as an OCSP Responder.

Although the Dogtag Certificate Authority is already configured with an internal OCSP service, an external OCSP Responder is offered as a separate subsystem for deployments where the OCSP service should be reachable outside of a firewall while the Dogtag Certificate Authority resides inside of it, or to take the load of status requests off the Dogtag Certificate Authority.

When an instance of Dogtag Online Certificate Status Protocol Manager is set up with an instance of Dogtag Certificate Authority, and the Certificate Authority is configured to publish to that Dogtag Online Certificate Status Protocol Manager, CRLs are published to it whenever they are issued or updated.
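The certificate lifecycle and CRL publishing described in the Certificate Authority and OCSP sections, as an added model that is not Dogtag's own code: the CA issues and revokes serials, publishes a numbered CRL to every external responder whenever the list changes, and the responder answers only from what has been published to it. The class and method names are assumptions; the model also shows why a CRL-fed external responder reports "good" for a serial the CA never issued, while the CA's internal OCSP service, which can consult the issuance database, reports "unknown".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Crl:
    number: int            # monotonically increasing CRL number
    revoked: frozenset     # serials listed as revoked in this CRL

class OcspResponder:
    """External OCSP Manager: knows only what the CA has published to it."""
    def __init__(self):
        self.crl = None
    def receive_crl(self, crl: Crl):
        # Accept only newer CRLs so a replayed old CRL cannot "un-revoke" a certificate.
        if self.crl is None or crl.number > self.crl.number:
            self.crl = crl
    def status(self, serial: int) -> str:
        if self.crl is None:
            return "unknown"       # nothing has been published yet
        return "revoked" if serial in self.crl.revoked else "good"

class CertificateAuthority:
    """CA with an internal OCSP service and CRL publishing to external responders."""
    def __init__(self):
        self.issued, self.revoked, self.crl_number = set(), set(), 0
        self.publish_to = []       # external responders that receive every new CRL
    def issue(self) -> int:
        serial = len(self.issued) + 1
        self.issued.add(serial)
        return serial
    def revoke(self, serial: int):
        if serial not in self.issued:
            raise ValueError(f"serial {serial} was never issued by this CA")
        self.revoked.add(serial)
        self.publish_crl()         # publish whenever the CRL is updated
    def publish_crl(self) -> Crl:
        self.crl_number += 1
        crl = Crl(self.crl_number, frozenset(self.revoked))
        for responder in self.publish_to:
            responder.receive_crl(crl)
        return crl
    def internal_ocsp_status(self, serial: int) -> str:
        # The internal service can consult the issuance database, so it can say "unknown".
        if serial not in self.issued:
            return "unknown"
        return "revoked" if serial in self.revoked else "good"
```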

Registration Authority (RA)

An optional PKI subsystem that acts as a front-end for authenticating and processing enrollment requests, PIN reset requests, and formatting requests.

Dogtag Registration Authority communicates over SSL with the Dogtag Certificate Authority to fulfill the user's requests.

Token Key Service (TKS)

An optional PKI subsystem that manages the master key(s) and the transport key(s) required to generate and distribute keys for hardware tokens. Dogtag Token Key Service provides the security between tokens and an instance of Dogtag Token Processing System, where the security relies upon the relationship between the master key and the token keys. A Dogtag Token Processing System communicates with a Dogtag Token Key Service over SSL using client authentication.

Dogtag Token Key Service helps establish a secure channel (signed and encrypted) between the token and the Dogtag Token Processing System, provides proof of presence of the security token during enrollment, and supports key changeover when the master key changes on the Dogtag Token Key Service. Tokens with older keys will get new token keys.

Because of the sensitivity of the data that Dogtag Token Key Service manages, Dogtag Token Key Service should be set up behind the firewall with restricted access.
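Key diversification and key changeover as the TKS section describes them, as an added illustration that is not Dogtag's code: per-token ENC/MAC/KEK keys are derived from a versioned master key and the token's CUID, the TPS authenticates the token with a fresh challenge before anything else, and a token whose keys predate the current master key is re-keyed inside that authenticated channel. HMAC-SHA256 stands in for the real GlobalPlatform diversification algorithm, and all class and function names are assumptions.

```python
import hashlib
import hmac
import os

def diversify(master_key: bytes, version: int, cuid: bytes, label: bytes) -> bytes:
    """Derive one token-specific key from the master key and the token's CUID.
    HMAC-SHA256 stands in for the real diversification algorithm (assumption)."""
    return hmac.new(master_key, bytes([version]) + cuid + label, hashlib.sha256).digest()[:16]

def token_key_set(master_key: bytes, version: int, cuid: bytes) -> dict:
    return {lbl: diversify(master_key, version, cuid, lbl.encode()) for lbl in ("enc", "mac", "kek")}

class TokenKeyService:
    """Holds master keys; hands per-token keys (never the master key) to the TPS."""
    def __init__(self):
        self.masters = {}                        # key version -> master key
    def add_master(self, version: int, key: bytes):
        self.masters[version] = key
    def current_version(self) -> int:
        return max(self.masters)
    def keys_for(self, version: int, cuid: bytes) -> dict:
        return token_key_set(self.masters[version], version, cuid)

class Token:
    """Smartcard side: keeps only its own diversified keys and their version."""
    def __init__(self, cuid: bytes, key_version: int, keys: dict):
        self.cuid, self.key_version, self.keys = cuid, key_version, keys
    def mac(self, data: bytes) -> bytes:
        return hmac.new(self.keys["mac"], data, hashlib.sha256).digest()

def establish_channel(tks: TokenKeyService, token: Token) -> bool:
    """TPS side: the token proves possession of its MAC key over a fresh challenge."""
    if token.key_version not in tks.masters:
        return False                             # unknown key version: cannot authenticate
    challenge = os.urandom(8)
    host_keys = tks.keys_for(token.key_version, token.cuid)
    expected = hmac.new(host_keys["mac"], challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, token.mac(challenge))

def key_changeover(tks: TokenKeyService, token: Token) -> bool:
    """Re-key a token whose keys predate the current master key; True if re-keyed."""
    current = tks.current_version()
    if token.key_version == current:
        return False
    if not establish_channel(tks, token):
        raise RuntimeError("token failed authentication; refusing changeover")
    token.keys = tks.keys_for(current, token.cuid)   # new keys delivered inside the old channel
    token.key_version = current
    return True
```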

Token Processing System (TPS)

An optional PKI subsystem that acts as a Registration Authority (RA) for authenticating and processing enrollment requests, PIN reset requests, and formatting requests from the Enterprise Security Client (ESC).

Dogtag Token Processing System is designed to communicate with tokens that conform to Global Platform's Open Platform Specification.

Dogtag Token Processing System communicates over SSL with various PKI backend subsystems (including the Dogtag Certificate Authority, the Dogtag Data Recovery Manager, and the Dogtag Token Key Service) to fulfill the user's requests.

Dogtag Token Processing System also interacts with the token database, an LDAP server that stores information about individual tokens.

Enterprise Security Client (ESC)

Enterprise Security Client allows the user to enroll and manage their cryptographic smartcards.

The ESC client is available on Linux, Macintosh, and Windows platforms.

Dependencies

BuildRequires

Build-time packages already included in Fedora:

ant

apr-devel

apr-util-devel

cyrus-sasl-devel

httpd-devel >= 2.2.3

idm-console-framework

java-devel >= 1:1.6.0

jpackage-utils

jss >= 4.2.6

ldapjdk

m4

make

mozldap-devel

nspr-devel >= 4.6.99

nss-devel >= 3.12.3.99

pcre-devel

pkgconfig

policycoreutils

selinux-policy-devel

svrcore-devel

tomcat5

velocity

xalan-j2

xerces-j2

zlib

zlib-devel

Build-time Dogtag packages new to Fedora:

osutil

pki-common

pki-symkey

pki-util

tomcatjss

Requires

Runtime packages already included in Fedora:

idm-console-framework

java >= 1:1.6.0

jpackage-utils

jss >= 4.2.6

ldapjdk

mod_nss >= 1.0.7

mod_perl

mod_perl >= 1.99_16

mozldap

mozldap >= 6.0.2

mozldap-tools

nss >= 3.12.3.99

nss-tools >= 3.12.3.99

perl-DBD-SQLite

perl-DBI

perl-HTML-Parser

perl-HTML-Tagset

perl-Parse-RecDescent

perl-URI

perl-XML-NamespaceSupport

perl-XML-Parser

perl-XML-Simple

policycoreutils

selinux-policy-targeted

sendmail

sqlite

tomcat5

velocity

xalan-j2

xerces-j2

Runtime Dogtag packages new to Fedora:

osutil

pki-ca-ui

pki-common

pki-common-ui

pki-console-ui

pki-java-tools

pki-kra-ui

pki-native-tools

pki-ocsp-ui

pki-ra-ui

pki-selinux

pki-setup

pki-silent

pki-symkey

pki-tks-ui

pki-tps-ui

pki-util

tomcatjss

Top-level Dogtag packages new to Fedora:

pki-ca

pki-console

pki-kra

pki-ocsp

pki-ra

pki-tks

pki-tps

Dogtag Subpackages new to Fedora:

osutil-debuginfo

pki-common-javadoc

pki-java-tools-javadoc

pki-native-tools-debuginfo

pki-symkey-debuginfo

pki-tps-debuginfo

pki-tps-devel

pki-util-javadoc

Contingency Plan

N/A as this is a completely new feature and failing to implement it will not affect any other part of the distribution.
